Ports Showing Closed/Filtered in Nmap Scans





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







3















hopefully this isn't a stupid question.. I am running some nmap scans and I get a list of ports that show closed. Why would they even show in the scan report? Can these be exploited further with other nmap switches such as zombie scans etc? I specified all ports in my scan using -p- .My thought is that it would show a large list of all closed ports on my system not just those?



Here is the command I ran: nmap -iL axisips.txt -A -sV -p- > axisnmapresults2.txt



Host is up (0.062s latency).
Not shown: 65525 filtered ports
PORT STATE SERVICE VERSION
17/tcp closed qotd
19/tcp closed chargen
25/tcp closed smtp
111/tcp closed rpcbind
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0










share|improve this question

























  • what were the port nos?

    – JOW
    yesterday






  • 1





    Added in Original post

    – john_zombie
    yesterday




















3















hopefully this isn't a stupid question.. I am running some nmap scans and I get a list of ports that show closed. Why would they even show in the scan report? Can these be exploited further with other nmap switches such as zombie scans etc? I specified all ports in my scan using -p- .My thought is that it would show a large list of all closed ports on my system not just those?



Here is the command I ran: nmap -iL axisips.txt -A -sV -p- > axisnmapresults2.txt



Host is up (0.062s latency).
Not shown: 65525 filtered ports
PORT STATE SERVICE VERSION
17/tcp closed qotd
19/tcp closed chargen
25/tcp closed smtp
111/tcp closed rpcbind
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0










share|improve this question

























  • what were the port nos?

    – JOW
    yesterday






  • 1





    Added in Original post

    – john_zombie
    yesterday
















3












3








3








hopefully this isn't a stupid question.. I am running some nmap scans and I get a list of ports that show closed. Why would they even show in the scan report? Can these be exploited further with other nmap switches such as zombie scans etc? I specified all ports in my scan using -p- .My thought is that it would show a large list of all closed ports on my system not just those?



Here is the command I ran: nmap -iL axisips.txt -A -sV -p- > axisnmapresults2.txt



Host is up (0.062s latency).
Not shown: 65525 filtered ports
PORT STATE SERVICE VERSION
17/tcp closed qotd
19/tcp closed chargen
25/tcp closed smtp
111/tcp closed rpcbind
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0










share|improve this question
















hopefully this isn't a stupid question.. I am running some nmap scans and I get a list of ports that show closed. Why would they even show in the scan report? Can these be exploited further with other nmap switches such as zombie scans etc? I specified all ports in my scan using -p- .My thought is that it would show a large list of all closed ports on my system not just those?



Here is the command I ran: nmap -iL axisips.txt -A -sV -p- > axisnmapresults2.txt



Host is up (0.062s latency).
Not shown: 65525 filtered ports
PORT STATE SERVICE VERSION
17/tcp closed qotd
19/tcp closed chargen
25/tcp closed smtp
111/tcp closed rpcbind
136/tcp closed profile
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp closed netbios-ssn
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0







firewalls nmap ports port-knocking






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited yesterday







john_zombie

















asked yesterday









john_zombiejohn_zombie

7811




7811













  • what were the port nos?

    – JOW
    yesterday






  • 1





    Added in Original post

    – john_zombie
    yesterday





















  • what were the port nos?

    – JOW
    yesterday






  • 1





    Added in Original post

    – john_zombie
    yesterday



















what were the port nos?

– JOW
yesterday





what were the port nos?

– JOW
yesterday




1




1





Added in Original post

– john_zombie
yesterday







Added in Original post

– john_zombie
yesterday












1 Answer
1






active

oldest

votes


















7














To avoid 65K+ lines of mostly-useless output, Nmap collapses most "uninteresting" results into a line that says something like "Not shown: 65530 filtered ports." Open ports are never collapsed this way, but closed (TCP RST) and filtered (no response or ICMP admin-prohibited) ports are only shown if there are fewer than a certain number.



In your case, I would guess that most of the ports are "filtered" but a few are "closed" instead. There are many reasons this might be the case, but the most likely are:




  1. Something between you and the target is blocking access to those ports by spoofing RST replies. This is common with residential ISPs blocking ports 137, 139, and 445, among others.

  2. The target's firewall is allowing those ports, but there is no service running on them.


EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 have been exploited on Windows by network worms. Port 25 is for email servers, so ISPs block it unless you buy a business-class connection. I'm not sure about 111 and 136; those could be legitimately closed, or they could be blocked for some other reason. Add the --reason option to your scan to see details about IP Time-to-Live (TTL) in the response; abnormally high TTL values can indicate ISP blocking, especially if the TTL value for open ports is several hops lower (usually between 5 and 15 hops different or so).






share|improve this answer


























  • So just because its showing closed it means its not running but available?

    – john_zombie
    yesterday











  • @john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."

    – bonsaiviking
    yesterday











  • so nothing here to report on my pentest? Seems like the firewall is doing its job.

    – john_zombie
    yesterday












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207605%2fports-showing-closed-filtered-in-nmap-scans%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









7














To avoid 65K+ lines of mostly-useless output, Nmap collapses most "uninteresting" results into a line that says something like "Not shown: 65530 filtered ports." Open ports are never collapsed this way, but closed (TCP RST) and filtered (no response or ICMP admin-prohibited) ports are only shown if there are fewer than a certain number.



In your case, I would guess that most of the ports are "filtered" but a few are "closed" instead. There are many reasons this might be the case, but the most likely are:




  1. Something between you and the target is blocking access to those ports by spoofing RST replies. This is common with residential ISPs blocking ports 137, 139, and 445, among others.

  2. The target's firewall is allowing those ports, but there is no service running on them.


EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 have been exploited on Windows by network worms. Port 25 is for email servers, so ISPs block it unless you buy a business-class connection. I'm not sure about 111 and 136; those could be legitimately closed, or they could be blocked for some other reason. Add the --reason option to your scan to see details about IP Time-to-Live (TTL) in the response; abnormally high TTL values can indicate ISP blocking, especially if the TTL value for open ports is several hops lower (usually between 5 and 15 hops different or so).






share|improve this answer


























  • So just because its showing closed it means its not running but available?

    – john_zombie
    yesterday











  • @john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."

    – bonsaiviking
    yesterday











  • so nothing here to report on my pentest? Seems like the firewall is doing its job.

    – john_zombie
    yesterday
















7














To avoid 65K+ lines of mostly-useless output, Nmap collapses most "uninteresting" results into a line that says something like "Not shown: 65530 filtered ports." Open ports are never collapsed this way, but closed (TCP RST) and filtered (no response or ICMP admin-prohibited) ports are only shown if there are fewer than a certain number.



In your case, I would guess that most of the ports are "filtered" but a few are "closed" instead. There are many reasons this might be the case, but the most likely are:




  1. Something between you and the target is blocking access to those ports by spoofing RST replies. This is common with residential ISPs blocking ports 137, 139, and 445, among others.

  2. The target's firewall is allowing those ports, but there is no service running on them.


EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 have been exploited on Windows by network worms. Port 25 is for email servers, so ISPs block it unless you buy a business-class connection. I'm not sure about 111 and 136; those could be legitimately closed, or they could be blocked for some other reason. Add the --reason option to your scan to see details about IP Time-to-Live (TTL) in the response; abnormally high TTL values can indicate ISP blocking, especially if the TTL value for open ports is several hops lower (usually between 5 and 15 hops different or so).






share|improve this answer


























  • So just because its showing closed it means its not running but available?

    – john_zombie
    yesterday











  • @john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."

    – bonsaiviking
    yesterday











  • so nothing here to report on my pentest? Seems like the firewall is doing its job.

    – john_zombie
    yesterday














7












7








7







To avoid 65K+ lines of mostly-useless output, Nmap collapses most "uninteresting" results into a line that says something like "Not shown: 65530 filtered ports." Open ports are never collapsed this way, but closed (TCP RST) and filtered (no response or ICMP admin-prohibited) ports are only shown if there are fewer than a certain number.



In your case, I would guess that most of the ports are "filtered" but a few are "closed" instead. There are many reasons this might be the case, but the most likely are:




  1. Something between you and the target is blocking access to those ports by spoofing RST replies. This is common with residential ISPs blocking ports 137, 139, and 445, among others.

  2. The target's firewall is allowing those ports, but there is no service running on them.


EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 have been exploited on Windows by network worms. Port 25 is for email servers, so ISPs block it unless you buy a business-class connection. I'm not sure about 111 and 136; those could be legitimately closed, or they could be blocked for some other reason. Add the --reason option to your scan to see details about IP Time-to-Live (TTL) in the response; abnormally high TTL values can indicate ISP blocking, especially if the TTL value for open ports is several hops lower (usually between 5 and 15 hops different or so).






share|improve this answer















To avoid 65K+ lines of mostly-useless output, Nmap collapses most "uninteresting" results into a line that says something like "Not shown: 65530 filtered ports." Open ports are never collapsed this way, but closed (TCP RST) and filtered (no response or ICMP admin-prohibited) ports are only shown if there are fewer than a certain number.



In your case, I would guess that most of the ports are "filtered" but a few are "closed" instead. There are many reasons this might be the case, but the most likely are:




  1. Something between you and the target is blocking access to those ports by spoofing RST replies. This is common with residential ISPs blocking ports 137, 139, and 445, among others.

  2. The target's firewall is allowing those ports, but there is no service running on them.


EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 have been exploited on Windows by network worms. Port 25 is for email servers, so ISPs block it unless you buy a business-class connection. I'm not sure about 111 and 136; those could be legitimately closed, or they could be blocked for some other reason. Add the --reason option to your scan to see details about IP Time-to-Live (TTL) in the response; abnormally high TTL values can indicate ISP blocking, especially if the TTL value for open ports is several hops lower (usually between 5 and 15 hops different or so).







share|improve this answer














share|improve this answer



share|improve this answer








edited yesterday

























answered yesterday









bonsaivikingbonsaiviking

9,3812042




9,3812042













  • So just because its showing closed it means its not running but available?

    – john_zombie
    yesterday











  • @john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."

    – bonsaiviking
    yesterday











  • so nothing here to report on my pentest? Seems like the firewall is doing its job.

    – john_zombie
    yesterday



















  • So just because its showing closed it means its not running but available?

    – john_zombie
    yesterday











  • @john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."

    – bonsaiviking
    yesterday











  • so nothing here to report on my pentest? Seems like the firewall is doing its job.

    – john_zombie
    yesterday

















So just because its showing closed it means its not running but available?

– john_zombie
yesterday





So just because its showing closed it means its not running but available?

– john_zombie
yesterday













@john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."

– bonsaiviking
yesterday





@john_zombie Basically yes. A "port" is just an address, a number on a packet. A process on a machine can "listen" on the port, which means it tells the OS, "when a connection comes in with this port number, give it to me." When that happens, the port is "open." If no process has asked for a particular number, then a probe to that port will be rejected ("closed"). The firewall inspects connections before any of this and may drop or reject connections regardless of whether a process wants them. So "filtered" means "could be open or closed, but you can't use it anyway."

– bonsaiviking
yesterday













so nothing here to report on my pentest? Seems like the firewall is doing its job.

– john_zombie
yesterday





so nothing here to report on my pentest? Seems like the firewall is doing its job.

– john_zombie
yesterday


















draft saved

draft discarded




















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f207605%2fports-showing-closed-filtered-in-nmap-scans%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

數位音樂下載

When can things happen in Etherscan, such as the picture below?

格利澤436b